Merge pull request #46 from jraqula/master

Allow an AccessDenied error to carry context about the rejection
chaps-io · Apr 28, 2018 · 66c1341 · 66c1341
2 parents 420d0d4 + cd1327f
commit 66c1341
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -212,6 +212,26 @@ class ApplicationController < ActionController::Base
 end
 ```
 
+You can also extract the action and subject which raised the error,
+if you want to handle authorization errors differently for some cases:
+```ruby
+  rescue_from "AccessGranted::AccessDenied" do |exception|
+    status = case exception.action
+      when :read # invocation like `authorize! :read, @something`
+        403
+      else
+        404
+      end
+
+    body = case exception.subject
+      when Post # invocation like `authorize! @some_action, Post`
+        "failed to access a post"
+      else
+        "failed to access something else"
+      end
+  end
+```
+
 #### Checking permissions in controllers
 
 To check if the user has a permission to perform an action, use the `can?` and `cannot?` methods.

diff --git a/lib/access-granted/exceptions.rb b/lib/access-granted/exceptions.rb
@@ -3,5 +3,11 @@ class Error < StandardError; end
 
   class DuplicatePermission < Error; end;
   class DuplicateRole < Error; end;
-  class AccessDenied < Error; end;
+  class AccessDenied < Error
+    attr_reader :action, :subject
+    def initialize(action = nil, subject = nil)
+      @action = action
+      @subject = subject
+    end
+  end
 end
diff --git a/lib/access-granted/policy.rb b/lib/access-granted/policy.rb
@@ -58,7 +58,7 @@ def cannot?(*args)
 
     def authorize!(action, subject)
       if cannot?(action, subject)
-        raise AccessDenied
+        raise AccessDenied.new(action, subject)
       end
       subject
     end

diff --git a/spec/controller_methods_spec.rb b/spec/controller_methods_spec.rb
@@ -21,7 +21,11 @@
 
   describe "#authorize!" do
     it "raises exception when authorization fails" do
-      expect { @controller.authorize!(:read, String) }.to raise_error(AccessGranted::AccessDenied)
+      expect { @controller.authorize!(:read, String) }.to raise_error do |err|
+        expect(err).to be_a(AccessGranted::AccessDenied)
+        expect(err.action).to eq(:read)
+        expect(err.subject).to eq(String)
+      end
     end
 
     it "returns subject if authorization succeeds" do

diff --git a/spec/policy_spec.rb b/spec/policy_spec.rb
@@ -136,7 +136,11 @@ def configure
       end
 
       it "raises AccessDenied if action is not allowed" do
-        expect { klass.new(@member).authorize!(:create, Integer) }.to raise_error AccessGranted::AccessDenied
+        expect { klass.new(@member).authorize!(:create, Integer) }.to raise_error do |err|
+          expect(err).to be_a(AccessGranted::AccessDenied)
+          expect(err.action).to eq(:create)
+          expect(err.subject).to eq(Integer)
+        end
       end
 
       it "returns the subject if allowed" do